Discovered: March 28, 2006
Updated: March 29, 2006 6:54:22 AM
Also Known As: PE_DETNAT.A [Trend], PE_DETNAT.B [Trend], W32/Detnat.a [McAfee], Detnat.A [Panda Software]
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
W32.Detnat is a virus that searches network shares and infects executable files. It also downloads and executes PWSteal.Lineage (MCID 4130) from predetermined Web sites.
Once executed, it creates the following file:
%System%\voot.sys
The virus then creates the following registry keys, registering a service named "delphi":
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\delphi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delphi
The service uses rootkit techniques to hide itself from the user. Because of this, checks for these artifacts are more reliable when made from a clean boot environment or against a mounted copy of the disk than from within the running system.
The virus downloads files from the following Web sites:
http://www.yettz.com/media/image/re.wos
http://www.cinetown.co.kr/mpg/asx/mvp.wos
http://www.cinetown.co.kr/dacom/images/pop.wos
The virus then saves and executes the downloaded files as %System%\netrun[RANDOM NUMBER].exe. These files are variants of PWSteal.Lineage.
The virus then drops the original (uninfected) host program into the %Temp% folder and executes it, so the infected program still appears to run normally.
The virus then searches local drives and network shares for executable files and infects them.
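The indicators listed above (the dropped driver voot.sys, the netrun[RANDOM NUMBER].exe downloads, the "delphi" service keys and the three download URLs) can be checked offline. The following script is an added example for this writeup, not Symantec's tooling; it only reports matches and does not repair infected files. It assumes you have a copy of the %System% directory (or a mounted disk image), a text dump produced by `reg export HKLM\SYSTEM`, and a proxy log with one request per line. The registry dump and proxy log lines embedded in it are constructed sample data, and the service key values it shows are placeholders, since the writeup does not list them.

```python
"""
Offline IOC triage for the W32.Detnat indicators in the writeup above.

Added example; not Symantec's tooling. Checks a copied or mounted %System%
directory, a `reg export HKLM\\SYSTEM` text dump and a proxy log for the
artifacts the writeup names. Sample data below is constructed.
"""
import os
import re
import sys

# Indicators taken from the writeup.
DROPPED_DRIVER = "voot.sys"
NETRUN_NAME = re.compile(r"netrun\d+\.exe", re.IGNORECASE)  # netrun[RANDOM NUMBER].exe
SERVICE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\delphi",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delphi",
)
DOWNLOAD_URLS = (
    "http://www.yettz.com/media/image/re.wos",
    "http://www.cinetown.co.kr/mpg/asx/mvp.wos",
    "http://www.cinetown.co.kr/dacom/images/pop.wos",
)


def match_dropped_names(names):
    """Return the file names (from a %System% listing) matching the dropped-file indicators."""
    hits = [n for n in names
            if n.lower() == DROPPED_DRIVER or NETRUN_NAME.fullmatch(n)]
    return sorted(hits, key=str.lower)


def scan_system_dir(system_dir):
    """Apply match_dropped_names to a copied or mounted %System% directory."""
    return match_dropped_names(os.listdir(system_dir))


def find_service_keys(reg_export_text):
    r"""Return the indicator service keys (and their subkeys) present in a .reg dump.

    `reg export HKLM\SYSTEM system.reg` writes one "[KEY]" header per key.
    CurrentControlSet is a link to ControlSetNNN, so an export normally shows
    only the ControlSet001 spelling; both spellings from the writeup are accepted.
    """
    wanted = tuple(k.lower() for k in SERVICE_KEYS)
    found = []
    for line in reg_export_text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and line.endswith("]")):
            continue
        key = line[1:-1]
        low = key.lower()
        if any(low == w or low.startswith(w + "\\") for w in wanted):
            found.append(key)
    return found


def find_download_urls(log_lines):
    """Return (line_number, url) for each proxy log line carrying an indicator URL."""
    hits = []
    for i, line in enumerate(log_lines, 1):
        low = line.lower()
        for url in DOWNLOAD_URLS:
            if url in low:
                hits.append((i, url))
    return hits


# Constructed sample input (not data from an infected host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\delphi]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\delphi\Enum]
"""

SAMPLE_PROXY_LOG = [
    "1143561201.004 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html",
    "1143561233.871 10.0.0.5 TCP_MISS/200 GET http://www.yettz.com/media/image/re.wos",
    "1143561240.119 10.0.0.5 TCP_MISS/200 GET http://www.cinetown.co.kr/dacom/images/pop.wos",
]


if __name__ == "__main__":
    # Usage: python detnat_triage.py <copied %System% dir> [system.reg] [proxy.log]
    # With no arguments the constructed samples are checked.
    if len(sys.argv) > 1:
        print("dropped files:", scan_system_dir(sys.argv[1]))
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-16", errors="replace") as f:  # reg export writes UTF-16
            print("service keys:", find_service_keys(f.read()))
    if len(sys.argv) > 3:
        with open(sys.argv[3], errors="replace") as f:
            print("download URLs:", find_download_urls(f.read().splitlines()))
    if len(sys.argv) == 1:
        print("service keys:", find_service_keys(SAMPLE_REG))
        print("download URLs:", find_download_urls(SAMPLE_PROXY_LOG))
```

A hit on voot.sys or the delphi key from inside the running system is significant, but a miss is not reassuring, since the service hides itself; run the file and registry checks against an offline copy. The proxy check is independent of the rootkit and also catches hosts that were infected but have since been cleaned.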
Writeup By: Kaoru Hayashi